Deploying to Azure API manager removes manually uploaded certificates, without mentioning it in review. #384

Closed
DeeNaxic opened this issue Dec 12, 2024 · 5 comments

@DeeNaxic

Bicep version
Build on an Azure Build Agent:

  • Task AzureCLI Task Version 2.249.8
  • Bicep version 0.31.92
azure-cli                         2.67.0
core                              2.67.0
telemetry                          1.1.0
azure-devops                       1.0.1
msal                              1.31.0
azure-mgmt-resource               23.1.1

Describe the bug
When running a WhatIf deployment, to Azure API manager, it lists NoChanges.
After running the actual deployment, deploying changes around the API manager, the manually (click-ops) uploaded certificates are removed from the API manager, resulting in runtime issues.

To Reproduce

  1. Deploy an API manager using Bicep.
  2. Upload a manual certificate.
  3. Rerun the API deployment (assuming it will list "no change").
  4. Check if the certificate is now removed.

Additional context
It does make sense in some way: the certificate is not part of the IaC, so when deploying the API manager, obviously it shouldn't be there. But it should at least list that it is about to make a change, and not claim that there are no changes about to happen.

Before the deployment, the manually uploaded certificate:

@jeskew
Member

jeskew commented Dec 12, 2024

Does the template being deployed use modules? I'm curious if this is an example of short-circuiting or if the certificates are omitted from the GET response.

@jeskew jeskew transferred this issue from Azure/bicep Dec 12, 2024
@DeeNaxic
Author

> Does the template being deployed use modules? I'm curious if this is an example of short-circuiting or if the certificates are omitted from the GET response.

Yep, it's a main file referencing a local module with the API manager resource.

@jeskew
Member

jeskew commented Dec 13, 2024

What parameters are passed to the local module? If any of them are runtime values (e.g., <resource>.properties.<property name> or <resource>.listKeys()), then the module is likely being short-circuited.

If you share the full template or a simplified reproduction, it'd be easier to troubleshoot.

@DeeNaxic
Author

We are using references as input to the module for a couple of different resources, and the rest is coming directly from a parameter json file.

This is our main:

module apim 'modules/apimservice.bicep' ={
  name      : 'apim-${parameters.project}-${parameters.environment}'
  scope     : resourceGroup(rg.name)
  params    : {
    apimServiceName             : 'apim-${parameters.project}-${parameters.environment}'
    location                    : parameters.location
    apimSku                     : parameters.apim.apimSku
    apimCapacity                : parameters.apim.apimCapacity
    apimPublisherEmail          : parameters.apim.apimPublisherEmail
    subnetId                    : filter(vnet.properties.subnets, s => s.name == parameters.subnet.name)[0].id
    costumDomain                : parameters.apim.customDomain
    publicipAPIMName            : pip.name
    tags                        : parameters.tags
    productName                 : parameters.apim.product.name
    productDescription          : parameters.apim.product.description
    productState                :'published'
    subscriptionRequired        : false
    applicationInsightName      : appinsights.outputs.name
    logId                       : loganalytics.outputs.id
  }
}

Here is the module (simplified):

resource apim 'Microsoft.ApiManagement/service@2023-03-01-preview' = {
  name      : apimServiceName
  location  : location
  tags      : tags
  sku       : {
    name      : apimSku
    capacity  : apimCapacity
  }
  
  identity  : {
    type      : identity
  }
  
  properties  : {
    publisherEmail         : apimPublisherEmail
    publisherName          : apimPublisherName
    apiVersionConstraint   : {
      minApiVersion        : minApiVersion
    }
    
    virtualNetworkConfiguration: {
      subnetResourceId     : subnetId
    }
    
    publicIpAddressId      : publicIPAddress.id
    virtualNetworkType     : 'Internal'
    hostnameConfigurations : costumDomain
    customProperties: {
      ...
    }
  }
}
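
Added example, not part of the thread and not Bicep project code: a heuristic Python check for the condition described above, flagging module parameters whose values are runtime expressions so a "no change" what-if result for that module can be treated with suspicion. The function names, the regular expressions, the treatment of module outputs as runtime values, and the sample template are assumptions of this example.

```python
import re

# Runtime-value shapes named in the thread: <resource>.properties.<name> and
# <resource>.listKeys(). Treating <module>.outputs.<name> the same way is an
# assumption of this example.
RUNTIME = re.compile(r"\b\w+\.(?:properties|outputs)\.\w+|\b\w+\.list\w*\(")
MODULE = re.compile(r"^\s*module\s+(\w+)\s+'[^']+'\s*=\s*\{", re.M)
PARAM = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")

def block_after(text, start):
    """Return the text between the '{' at index start and its matching '}'.
    Heuristic: assumes braces inside string literals are balanced."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def runtime_params(bicep):
    """Map module symbolic name -> {param: expression} for runtime-valued params."""
    findings = {}
    for m in MODULE.finditer(bicep):
        body = block_after(bicep, m.end() - 1)
        p = re.search(r"\bparams\s*:\s*\{", body)
        lines = block_after(body, p.end() - 1).splitlines() if p else []
        hits = {kv.group(1): kv.group(2) for kv in map(PARAM.match, lines)
                if kv and RUNTIME.search(kv.group(2))}
        if hits:
            findings[m.group(1)] = hits
    return findings

# Constructed sample, shaped like the main file posted in the issue.
SAMPLE = """
module apim 'modules/apimservice.bicep' = {
  name: 'apim-${parameters.project}'
  params: {
    location: parameters.location
    subnetId: filter(vnet.properties.subnets, s => s.name == 'apim')[0].id
    publicipAPIMName: pip.name
    logId: loganalytics.outputs.id
  }
}
module dns 'modules/dns.bicep' = {
  name: 'dns'
  params: { zone: parameters.zone }
}
"""
```

Calling `runtime_params(SAMPLE)` reports `subnetId` and `logId` for the `apim` module and nothing for `dns`; it is a text heuristic and does not replace comparing the live resource before and after a deployment.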

@jeskew
Member

jeskew commented Dec 16, 2024

There is a fix in private preview, but wider rollout is currently blocked due to holiday deployment freezes. Please see the linked issue for more details.

@jeskew jeskew closed this as completed Dec 16, 2024
@github-project-automation github-project-automation bot moved this from Todo to Done in Bicep Dec 16, 2024